  • Garry Bain 149 posts 124 karma points
    Oct 15, 2010 @ 10:47
    Garry Bain
    0

    Changing passwords back to Hashed after upgrade

    Hi everyone,

    I've just completed an upgrade from 4.0.2.1 to 4.5.2 but I still have a question.

    One of the steps to perform is to change the passwords from "Hashed" to "Clear" in web.config so you can actually log in. However, how do you change it back to "Hashed" and get all of your passwords hashed?

    I presume you have to do this step so you can actually have the full upgraded version working as it is supposed to? Or is it optional to have passwords hashed or clear text?

    Cheers,
    Garry.

  • Kris Janssen 210 posts 569 karma points c-trib
    Oct 15, 2010 @ 21:50
    Kris Janssen
    0

    If you know the hash function used by Umbraco it is easy as pie to just hash the passwords that are stored plain text in the DB and replace them with the hashed version. Then change the config files and you're ready to go...

    I believe this is the relevant code (Member.cs):

    public string EncodePassword(string password, MembershipPasswordFormat pwFormat)
    {
        string encodedPassword = password;
        switch (pwFormat)
        {
            case MembershipPasswordFormat.Clear:
                break;
            case MembershipPasswordFormat.Encrypted:
                encodedPassword =
                  Convert.ToBase64String(EncryptPassword(Encoding.Unicode.GetBytes(password)));
                break;
            case MembershipPasswordFormat.Hashed:
                HMACSHA1 hash = new HMACSHA1();
                hash.Key = Encoding.Unicode.GetBytes(password);
                encodedPassword =
                  Convert.ToBase64String(hash.ComputeHash(Encoding.Unicode.GetBytes(password)));
                break;
        }
        return encodedPassword;
    }

    Which would imply that SHA1 is used for hashing. If that is the case it should be simple enough to write a small helper util that would read all values for the passwords, hash them and write them back to the DB.

    Basically keep the code for the last case and run... I do not have sufficient time now but maybe someone else here could set you up?

  • Dirk De Grave 4541 posts 6021 karma points MVP 3x admin c-trib
    Oct 17, 2010 @ 10:49
    Dirk De Grave
    0

    Garry,

    I'm a bit surprised by your statement that you need to change passwords to upgrade from a v4.0.2.1 to a v4.5.2 umbraco instance. I've been doing 2 upgrades over the last week, and I don't do anything with changing the way passwords are stored.

    So, if you could find that reference, I'd be glad to read a bit more about it.

     

    Cheers,

    /Dirk

  • Garry Bain 149 posts 124 karma points
    Oct 17, 2010 @ 11:03
    Garry Bain
    0

    Hi Dirk,

    The passwords in my database were initially in clear text, however in version 4.5.2 the web.config has these passwords stored as "Hashed" - therefore after doing the upgrade I had to change the web.config back to "Clear" in order to log into the back end of Umbraco.

    I was also following some steps on http://www.karlkopp.com/blog/2010/7/27/upgrading-umbraco-40x-to-45x. If you look at step 7 you can see what I'm referring to.

    Cheers,
    Garry.

  • Dirk De Grave 4541 posts 6021 karma points MVP 3x admin c-trib
    Oct 17, 2010 @ 11:06
    Dirk De Grave
    0

    Ok, that makes sense, didn't know about this reference.

     

    Cheers,

    /Dirk

  • Kris Janssen 210 posts 569 karma points c-trib
    Oct 17, 2010 @ 11:10
    Kris Janssen
    0

    Hi Dirk,

    Like Garry said... it seems the default setting in web.config changed from "Clear" to "Plain".

    Of course, this can lead to surprises when upgrading. I also had an issue like that some days ago. Obviously, when these defaults change, users might ask themselves how to change over their own settings to this new default. I for one was faced with the fact that I saw the plain text passwords of my users in the DB when trying to solve an issue, knowing that many users will use the same passwords for different accounts this might create 'ethical' issues. A way to hash all passwords in the DB might therefore be useful.

  • Dirk De Grave 4541 posts 6021 karma points MVP 3x admin c-trib
    Oct 17, 2010 @ 11:16
    Dirk De Grave
    0

    Fair point Kris, and totally agree, and thanks for sharing that piece of code for others to enjoy.

     

    Cheers,

    /Dirk

  • Kris Janssen 210 posts 569 karma points c-trib
    Oct 17, 2010 @ 11:32
    Kris Janssen
    1

    Wrote a simple console app to generate the hashes. I only have 50 or so users so it won't be a big deal to do the update manually. Also, maybe it is wisest to do the update in a manual way, one by one, imagine you have an automated app working on the DB directly, if you accidentally run it twice you'll be in a world of trouble :)

    Just compile and run...

    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Text;
    using System.Security.Cryptography;

    namespace PasswordHasher
    {
        class Program
        {
            static void Main(string[] args)
            {
                while (true) // Loop until 'exit' or end of input
                {
                    Console.WriteLine("Enter password to hash or type 'exit':"); // Prompt
                    string password = Console.ReadLine(); // Get string from user
                    if (password == null || password == "exit") // null means input was closed
                    {
                        break;
                    }
                    else
                    {
                        // Same scheme as the Hashed case in Member.cs above:
                        // HMACSHA1 keyed with the password itself, Base64-encoded.
                        using (HMACSHA1 hash = new HMACSHA1())
                        {
                            hash.Key = Encoding.Unicode.GetBytes(password);

                            string encodedPassword =
                              Convert.ToBase64String(hash.ComputeHash(Encoding.Unicode.GetBytes(password)));

                            Console.WriteLine(encodedPassword);
                        }
                    }
                }
            }
        }
    }

  • Seth Niemuth 275 posts 397 karma points
    Dec 22, 2013 @ 20:10
    Seth Niemuth
    0

    I had about 3000 users and 20 members from a version 3 of umbraco that I upgraded to version 6.1.6, so I wrote some code which I just called from a usercontrol that I put on a dashboard. I knew that I was converting to Hashed passwords. Obviously make sure to back up the database/users and members table before running, because if this runs twice then they are all messed up (hashed twice). Also, make sure to update your web.config so that the password format is now Hashed instead of Clear for both users and members. Definitely remove the dll you dropped in to run the code as well, as you don't want it ever running again.

    using System;
    using System.Security.Cryptography;
    using System.Text;
    using umbraco.BusinessLogic;              // User
    using umbraco.cms.businesslogic.member;   // Member

    public class ChangePasswordsService
    {
        // Not idempotent: a second run hashes the already-hashed values again.
        public void ChangeAllMemberPasswords()
        {
            var allMembers = Member.GetAll;

            foreach (var member in allMembers)
            {
                // member.Password still holds the clear-text value at this point.
                member.ChangePassword(EncodeHashPassword(member.Password));
                member.Save();
            }
        }

        public void ChangeAllUserPasswords()
        {
            var allUsers = User.getAll();

            foreach (var user in allUsers)
            {
                user.Password = EncodeHashPassword(user.GetPassword());
                user.Save();
            }
        }

        // HMACSHA1 keyed with the password itself, Base64-encoded.
        private string EncodeHashPassword(string password)
        {
            using (HMACSHA1 hash = new HMACSHA1())
            {
                hash.Key = Encoding.Unicode.GetBytes(password);
                return Convert.ToBase64String(hash.ComputeHash(Encoding.Unicode.GetBytes(password)));
            }
        }
    }
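
Both Kris and Seth warn that running a bulk conversion twice hashes the hashes. As an added example (not part of any post above and not Umbraco code), here is a planning step that skips values already in the 28-character Base64 form HMACSHA1 produces; `HashMigration`, `LooksHashed` and `Plan` are hypothetical names and the rows are constructed sample data.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example, not Umbraco code: all type and method names here are hypothetical.
static class HashMigration
{
    // Same encoding as the thread's snippets: HMACSHA1 keyed with the password itself.
    public static string EncodeHashPassword(string password)
    {
        byte[] bytes = Encoding.Unicode.GetBytes(password);
        using (var hash = new HMACSHA1(bytes))
            return Convert.ToBase64String(hash.ComputeHash(bytes));
    }

    // Heuristic: HMACSHA1 output is 20 bytes, i.e. 28 Base64 characters.
    // A clear-text password of exactly that shape would be skipped, so review the skips.
    public static bool LooksHashed(string stored)
    {
        if (stored == null || stored.Length != 28) return false;
        try { return Convert.FromBase64String(stored).Length == 20; }
        catch (FormatException) { return false; }
    }

    // Returns only the rows that still need hashing; already-hashed rows are left alone.
    public static Dictionary<string, string> Plan(IDictionary<string, string> storedByLogin)
    {
        var updates = new Dictionary<string, string>();
        foreach (var row in storedByLogin)
            if (!string.IsNullOrEmpty(row.Value) && !LooksHashed(row.Value))
                updates[row.Key] = EncodeHashPassword(row.Value);
        return updates;
    }

    static void Main()
    {
        // Constructed sample rows standing in for the users/members tables.
        var rows = new Dictionary<string, string> {
            { "alice", "correct horse" },
            { "bob", EncodeHashPassword("hunter2") } // already migrated
        };
        var first = Plan(rows);
        foreach (var u in first) rows[u.Key] = u.Value;   // apply pass 1
        var second = Plan(rows);                          // pass 2 finds nothing left to do
        Console.WriteLine("pass 1: {0} update(s), pass 2: {1} update(s)", first.Count, second.Count);
    }
}
```

The hash format is kept identical to the thread's snippets; it is unsalted, so two accounts with the same password end up with the same stored value.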